On paper, the new process seems more secure than Aadhaar. But is the cat already out of the bag?

After years of criticism about the weakness of Aadhaar systems and the dangers they pose to privacy, the Unique Identification Authority of India on Wednesday introduced a new process that it hopes will be more secure. The “Virtual ID” is supposed to replace your 12-digit biometric-based Aadhaar number, allowing you to use it for authentication without giving away the Unique ID itself. Although the Unique Identification Authority of India did not say it in as many words, the changes are an admission of the serious risks in others having access to your Aadhaar number, especially with at least 210 official websites found to be displaying them for all to see.

But what is Virtual ID?

According to a circular issued by the Unique Identification Authority of India on Wednesday, Virtual ID will be a 16-digit random number that is mapped to your Aadhaar number. Once you have generated a Virtual ID, you can provide that 16-digit number, instead of your Aadhaar number, to any agency seeking to use Aadhaar to authenticate you.

For most people, the key takeaway is that, starting March 1, they will have to generate a Virtual ID and will have to use that instead of Aadhaar for any sort of authentication.

How does it work?

According to the circular, the Virtual ID will be mapped to the Aadhaar number, but is otherwise a randomly generated number, just like the Unique ID. This means that someone who only has access to your Virtual ID should not be able to use that to derive your Aadhaar number.

When you give your Virtual ID to an authentication agency, say a telecom company or a local government body, they will enter it into the system and then receive a UID token that authenticates it and provides a limited set of demographic details, such as your name, phone number, address and so on. Simply put, these agencies will now be able to authenticate you without ever actually seeing your Aadhaar number.

How is it different from Aadhaar/how is it more secure?

A major concern regarding Aadhaar is how easily companies or government bodies that have access to it can store those numbers. Making matters worse is how easily one can use an Aadhaar number to unearth demographic data about a person, as The Tribune reported last week. Though the Unique Identification Authority of India has spent years insisting that the Aadhaar number itself is not dangerous if leaked, when coupled with demographic data, it lends itself to either profiling or financial fraud, which has taken place in the past.

The new system attempts to add a layer of security over this by making it more difficult for agencies to get access to your Aadhaar number. Until now, wherever authentication was necessary, you simply gave them your Aadhaar number or biometrics. Though the Aadhaar Act made it illegal to store that data unless authorised, it was impossible to say which agencies or individuals were doing so.

The new system avoids that potential loophole altogether, by making sure agencies do not have access to your Aadhaar number in the first place. Instead, they are only shown your Virtual ID and receive a UID token that confirms it is mapped to your Aadhaar number. The Unique Identification Authority of India claims it will not be possible to derive the Aadhaar number from the Virtual ID. Moreover, different agencies will be given different UID tokens to authenticate the same Aadhaar – meaning they will not simply be able to merge their information and build a picture of the Virtual ID holder.

A key aspect of the security is that the Virtual ID is temporary and revocable. This means that it matters less if an agency stores your Virtual ID in the hope of profiling you, since Virtual IDs are not permanent and can change. The Unique Identification Authority of India has indicated that it will have an upper time limit for Virtual IDs.
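To make the three properties described above concrete (a random Virtual ID that is only linked to the Aadhaar number by a lookup table, a different UID token for each agency, and revocation), here is an added sketch that is not taken from the circular and is not the Unique Identification Authority of India's actual design. The class name, the agency names, the use of HMAC-SHA256 for tokens and the rule that generating a new Virtual ID revokes the old one are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ToyIdAuthority:
    """Hypothetical stand-in for the issuing authority (illustration only)."""

    def __init__(self):
        self._token_key = secrets.token_bytes(32)  # secret that never leaves the authority
        self._vid_to_uid = {}  # active Virtual ID -> 12-digit ID number
        self._uid_to_vid = {}  # ID number -> its single active Virtual ID

    def generate_vid(self, uid):
        """Issue a fresh random 16-digit Virtual ID; the previous one is revoked (assumption)."""
        old = self._uid_to_vid.pop(uid, None)
        if old is not None:
            del self._vid_to_uid[old]
        while True:
            # Drawn from a CSPRNG, so the digits carry no information about uid.
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._vid_to_uid:
                break
        self._vid_to_uid[vid] = uid
        self._uid_to_vid[uid] = vid
        return vid

    def authenticate(self, vid, agency_id):
        """Return the agency-specific token for a live Virtual ID, or None if revoked/unknown."""
        uid = self._vid_to_uid.get(vid)
        if uid is None:
            return None
        # Keyed hash over (uid, agency): two agencies get unrelated tokens for one person.
        msg = f"{uid}|{agency_id}".encode()
        return hmac.new(self._token_key, msg, hashlib.sha256).hexdigest()


def demo():
    authority = ToyIdAuthority()
    uid = "999900001111"  # constructed sample number, not a real ID
    vid = authority.generate_vid(uid)
    telecom = authority.authenticate(vid, "telecom-co")  # hypothetical agency names
    bank = authority.authenticate(vid, "bank-co")
    new_vid = authority.generate_vid(uid)  # holder rotates the Virtual ID
    return {"tokens_differ": telecom != bank,
            "old_vid_rejected": authority.authenticate(vid, "telecom-co") is None,
            "token_stable": authority.authenticate(new_vid, "telecom-co") == telecom}


if __name__ == "__main__":
    print(demo())
```

In this sketch an agency that stores only its token and an expired Virtual ID holds nothing it can match against another agency's records, which is the merging problem the per-agency tokens are meant to prevent.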

Is it really more secure?

On paper, the process is more secure. But the question it prompts is, why was this not in place all along? The idea of the Virtual ID is to prevent agencies from collecting and storing individual Aadhaar numbers with demographic data. But government agencies have themselves been leaking Aadhaar numbers and it is entirely possible, given the way the internet works, that the entire Aadhaar database – with the UIDs and demographic data – has already been copied, either piecemeal or altogether. The process will be more secure from here on, but the cat may already be out of the bag.

I have Aadhaar. What do I need to do?

The new system will not be in place until March 1, and the Unique Identification Authority of India has made it mandatory for agencies to start using Virtual ID by June 1. Assuming it sticks to these deadlines, every Aadhaar holder will have to generate their Virtual IDs between March 1 and June 1. This can be done on the Unique Identification Authority of India’s website, at Aadhaar Enrolment Centres and on the mAadhaar mobile app. From June 1, you will need to use this Virtual ID instead of Aadhaar in most authentication circumstances.

What do we not know yet?

The big question is the time limit connected to the Virtual ID.

Remember, Aadhaar was originally envisioned as a way of improving welfare delivery and providing an identity to those who do not have any. Yet, the poor and the needy, the ones who already find themselves excluded by Aadhaar, now have to make that extra effort to generate a Virtual ID in order to access subsidies or even entry to night shelters. The Unique Identification Authority of India has said Virtual ID will be temporary, which is what makes it more secure than Aadhaar, but it has not announced how long one Virtual ID will be usable.

Too short a time, say a few months, and it will be a massive inconvenience to those who need Aadhaar the most, since they are unlikely to have access to the mAadhaar app or the time to line up at an enrolment centre just to generate Virtual IDs. Too long a time, and the Virtual ID will just replace the Aadhaar number, allowing conmen to use demographic data connected to the Virtual ID in attempts to defraud Aadhaar holders.